netbsd-bugs: bin/10996: skey(1) rejects short passwords

Subject: bin/10996: skey(1) rejects short passwords
To: None <gnats-bugs@gnats.netbsd.org>
From: None <itojun@itojun.org>
List: netbsd-bugs
Date: 09/11/2000 23:21:19

>Number:         10996
>Category:       bin
>Synopsis:       skey(1) rejects short passwords
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Sep 11 23:22:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     Jun-ichiro itojun Hagino
>Release:        current, 20000911
>Organization:
	itojun.org
>Environment:
System: NetBSD starfruit.itojun.org 1.5E NetBSD 1.5E (STARFRUIT) #110: Mon Sep 11 15:51:45 JST 2000 itojun@starfruit.itojun.org:/usr/home/itojun/NetBSD/src/sys/arch/i386/compile/STARFRUIT i386


>Description:
	skey(1) does not accept short secret password.  if the remote end
	sets up skey login information with short secret password, there is
	no way to login from netbsd-current box.

	it makes sense to restrict password length with skeyinit(1), but i see
	less sense in restricting it with skey(1).  we have no choice in
	selecting skey secret password length, if other people have set it up.
>How-To-Repeat:
	have a remote host with skey login setup, and with short secret
	password.  try to login the remote host from a netbsd-current box.
	use /usr/bin/skey.  get in trouble.
>Fix:
	remove the following portion from usr.bin/skey/skey.c.

	if(strlen(passwd) < SKEY_MIN_PW_LEN)
		errx(1, "password must be at least %d long", SKEY_MIN_PW_LEN);
>Release-Note:
>Audit-Trail:
>Unformatted: